Abstract

In recent years there has been a great deal of work done on secret sharing schemes. Secret
sharing schemes allow for the division of keys so that an authorised set of users may access
information. In this paper we wish to present a critical comparison of two of these schemes,
based on Latin Squares [3] and on RSA. These two protocols will be examined in terms of the
positive and negative aspects of their security.
1 Introduction

In communications networks which require security, it is important that secrets be protected by
more than one key. Furthermore, a system of several keys with more than one way of combining
them may allow for the unique recovery of a secret. Schemes in which a group of participants
can recover a secret are known as Secret Sharing Schemes.

The idea of secret sharing is to start with a secret and divide it into pieces called shares, which are
then distributed amongst users such that only specific subsets of users can pool their shares to
reconstruct the original secret.

Threshold Schemes 

Shamir describes threshold schemes as being very helpful in the management of cryptographic
keys. The most secure key management scheme keeps the key in a single place. This sort of scheme
may not always be appropriate, and an obvious solution is to make multiple copies of
the key; this, however, increases the risk associated with keeping multiple copies secret. By using Shamir's
threshold scheme concept we can get a very robust key management scheme.
Threshold schemes are well suited to applications in which a group of individuals with conflicting
interests must cooperate. By following Shamir's protocol and choosing the correct $t$ and
$w$ parameters we can give any sufficiently large majority the authority to take some action while
giving any sufficiently large minority veto powers. We shall now use the definition outlined in [10]
to describe what a threshold secret sharing scheme is.

Definition 1.1. Let $t$ and $w$ be positive integers, $t \le w$. A $(t, w)$-threshold scheme is a method of
sharing a key $K$ among a set of $w$ players (denoted by $\mathcal{P}$), in such a way that any $t$ participants
can compute the value of $K$, but no group of $t - 1$ participants can do so.

The value of $K$ is chosen by a special participant referred to as the dealer. The
dealer is denoted by $D$ and we must assume that $D \notin \mathcal{P}$. When $D$ wants to share the key $K$
among the participants in $\mathcal{P}$, $D$ gives each participant some partial information, referred to earlier
as a share. The shares should be distributed secretly, so no participant knows the share given to
any other participant. At some later time, a subset of participants $B \subseteq \mathcal{P}$ will pool their shares or
return them to the dealer in an attempt to compute the key $K$. If $|B| \ge t$, then they should be
able to compute the value of $K$ as a function of the shares they collectively hold. Furthermore, if
$|B| < t$, then they should not be able to compute $K$. Following the notation of Stinson [10], we write

$\mathcal{P} = \{P_i : 1 \le i \le w\}$ (1.1)

as the set of participants, $\mathcal{K}$ as the set of keys and $\mathcal{S}$ as the set of secrets. A useful point proposed
by Shamir is that a hierarchical scheme may be created, so that some players may have shares
which are of more importance (weight).

1.1 Access Structures 

In our outline of threshold schemes, we wanted $t$ out of $w$ players to be able to determine the
key. A more general situation is to specify exactly which subsets of players should be able to
determine the key and which should not [10]. We describe $\Gamma$ as a set of subsets of $\mathcal{P}$,
the subsets in $\Gamma$ being the subsets of players that should be able to compute the key. $\Gamma$ is
called the access structure and the subsets in $\Gamma$ are called authorised subsets.
Furthermore, let $\mathcal{K}$ be the set of keys and $\mathcal{S}$ be the set of shares. We shall continue to use the
dealer $D$, who wants to share a key $K \in \mathcal{K}$ and gives each player a share $s \in \mathcal{S}$. Some time
later a subset of players will attempt to determine $K$ from the shares they collectively hold. Note
that a $(t, w)$-threshold scheme creates the access structure $\{B \subseteq \mathcal{P} : |B| \ge t\}$, which is
referred to by Stinson [10] as the threshold access structure.

If $\Gamma$ is an access structure, then $B \in \Gamma$ is a minimal authorised subset if $A \notin \Gamma$ whenever
$A \subset B$, $A \ne B$. The set of minimal authorised subsets of $\Gamma$ is denoted by $\Gamma_0$ and is called the basis
of $\Gamma$. Since $\Gamma$ consists of all subsets of $\mathcal{P}$ that are supersets of a subset in the basis $\Gamma_0$, $\Gamma$ is
determined uniquely as a function of $\Gamma_0$:

$\Gamma = \{C \subseteq \mathcal{P} : B \subseteq C,\ B \in \Gamma_0\}$ (1.2)

2 Latin Squares 

In their 1994 paper Cooper, Donovan and Seberry [3] laid the foundation for the use of critical sets
as a combinatorial structure which could be used to construct a secret sharing scheme. We
begin this section by defining a Latin Square and the concept of a critical set.

Definition 2.1. An $n \times n$ Latin Square is an $n \times n$ matrix whose entries are taken from a set of $n$
objects so that no object occurs twice in any row or column.

Definition 2.2. A critical set of a Latin Square $L$ defined over the set $X = \{1, \ldots, n\}$ is a set

$C = \{(i, j; k) \in X \times X \times X\}$ (2.1)

such that $L$ is the only square of order $n$ with $k$ in the $(i, j)$th position for every $(i, j; k) \in C$. Furthermore,
no proper subset of $C$ satisfies this condition.

An important construction which we need to define is the concept of a strong critical set for a Latin 
Square. 

Definition 2.3. A critical set $A$ of a Latin Square $L$ is a strong critical set if there exists a set $\{P_1, \ldots, P_m\}$ of
$m = n^2 - |A|$ partial Latin Squares of order $n$ which satisfy the following properties:

• $L \supset P_m \supset P_{m-1} \supset \cdots \supset P_2 \supset P_1 = A$

• $\forall i$, $1 \le i \le m - 1$, $P_i \cup \{(r_i, c_i; e_i)\} = P_{i+1}$

• $P_i \cup \{(r_i, c_i; e)\}$ is not a partial Latin Square for any $e \in N \setminus \{e_i\}$

Definition 2.4. A critical set $A$ is referred to as semi-strong if there exists a set $\{P_1, \ldots, P_m\}$
of $m = n^2 - |A|$ partial Latin Squares of order $n$ which satisfy the following properties:

1. $L \supset P_m \supset P_{m-1} \supset \cdots \supset P_2 \supset P_1 = A$

2. $\forall i$, $1 \le i \le m - 1$, $P_i \cup \{(r_i, c_i; e_i)\} = P_{i+1}$ such that one of $P_i \cup \{(r_i, c_i; e)\}$, $P_i \cup \{(r_i, c; e_i)\}$
or $P_i \cup \{(r, c_i; e_i)\}$ is not a partial Latin Square for any $e \in N \setminus \{e_i\}$, $c \in N \setminus \{c_i\}$ or $r \in N \setminus \{r_i\}$
respectively.

2.1 The Proposed Scheme 

In Cooper [3] a secret sharing scheme is constructed with a secret key made from a Latin Square
$L$ of order $n$. Furthermore, [3] notes the following characteristics:

• The Latin Square $L$ is kept private, but its order is made public.

• The shares are based on a partial Latin Square $S = \bigcup_i A_i$, where each $A_i \subseteq L$ is a critical set
and the union is taken over all possible critical sets in $L$, or over some subset of the critical sets.

• The number of critical sets used depends on the size of the Latin Square and the number of
shares.

• The access structure is defined as $\Gamma = \{B : A \subseteq B \subseteq S\}$, where $A$ is some critical set in $L$;
$\Gamma$ is monotone.

We shall now outline the basic protocol presented by Cooper [3]:

• A Latin Square $L$ of order $n$ is chosen. The number $n$ is made public, but the Latin Square
$L$ is kept secret and taken to be the key.

• The set $S$ is formed as the union of a number of critical sets in $L$.

• For each $(i, j; k) \in S$, the share $(i, j; k)$ is distributed privately to a participant.

• When a critical set of shares is brought together, the Latin Square $L$, and thus the secret key,
can be reconstructed.
2.2 The Ranking Problem

In the constructions proposed in [3], each user is given one element from a Latin
Square and a subset of these elements may be combined to form a critical set. In Donovan a
more general construction is given in which a set $S$ is the union of a number of critical sets in a
Latin Square. Elements from the set $S$ are dealt out to each player, so that a group of players
wishing to reconstruct the critical set can recover the secret. This raises the
complex issue, inherent in Latin Squares, of some positions being more important than
others.

Consider an intruder who knows C's share and the location of the other shares. What this player does next
would depend upon their knowledge of the concurrence scheme. If the player knew the scheme,
they would start by guessing at two of the other shares (A and B, or D and E, or A and D), in
which case they are at a disadvantage compared to an intruder who knows a share other than C's.
If the player does not know the scheme, it would seem most logical to try to guess D's share before
trying to guess two other shares at once. Again, in this case, the player is at a disadvantage
compared to an intruder who knows a share other than C's.

2.3 Security of a Latin Square Based Scheme 

The main security issues with this type of scheme were investigated heavily by Cooper [3]. We shall
now examine these vulnerabilities:

• An unauthorised player knows one $n$th of the critical set.

• A group of unauthorised players has a greater chance of reconstructing the critical set with
their pooled shares.

• The security of this scheme is based on the number of possible Latin Squares which contain
the partial Latin Square defined by a disloyal group of players. It has been estimated that the
number of Latin Squares containing a given set $C$ of shares $(i, j; k)$, for a square of order
$n = 11$, is greater than 19,000,000.

The complexity of completing partial Latin Squares has been investigated by Colbourn [2]. The
computational complexity of this problem is NP-complete. However, even for a Latin Square of
order $n = 11$ there is still a measurable number of solutions, which can be generated by brute
force.
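To make the protocol of Section 2.1 and the completion counting of Section 2.3 concrete, the following is an added Python example; it is not code from the paper or from Cooper, Donovan and Seberry. A share is written as a tuple (i, j, k) for the paper's $(i, j; k)$, the Latin Squares containing a set of shares are enumerated by backtracking, Definition 2.2 is tested directly, and the access structure $\Gamma$ of Section 1.1 is brute-forced for a constructed toy instance: the cyclic square of order 3 as the key, with its diagonal dealt one cell per player A, B, C. The order, the dealt cells, the player names and all function names are assumptions made for illustration; the functions run unchanged on larger orders, where the completion count grows in the way Section 2.3 describes.

```python
# Added example (not code from the paper): a toy Latin-square secret-sharing
# scheme.  The key is a Latin square L of order n, a share is a triple
# (i, j, k) meaning "symbol k at row i, column j", and a set of shares is
# authorised exactly when it contains a critical set.  Completions are
# enumerated by backtracking; counting them for the shares a disloyal
# coalition holds is the brute-force figure the paper discusses for n = 11.
from itertools import combinations, product


def completions(n, shares, limit=None):
    """Return the Latin squares of order n (symbols 1..n, rows/cols 0..n-1)
    that contain every share in `shares`; stop after `limit` if given."""
    grid = [[0] * n for _ in range(n)]
    for i, j, k in shares:
        if grid[i][j] not in (0, k):
            return []                       # two shares contradict each other
        grid[i][j] = k
    for r in range(n):                      # shares must form a partial Latin square
        row = [v for v in grid[r] if v]
        col = [grid[x][r] for x in range(n) if grid[x][r]]
        if len(row) > len(set(row)) or len(col) > len(set(col)):
            return []
    empty = [(i, j) for i, j in product(range(n), repeat=2) if grid[i][j] == 0]
    found = []

    def fill(pos):
        if limit is not None and len(found) >= limit:
            return
        if pos == len(empty):
            found.append(tuple(tuple(r) for r in grid))
            return
        i, j = empty[pos]
        used = set(grid[i]) | {grid[x][j] for x in range(n)}
        for k in range(1, n + 1):
            if k not in used:
                grid[i][j] = k
                fill(pos + 1)
                grid[i][j] = 0

    fill(0)
    return found


def is_critical_set(n, shares):
    """Definition 2.2: unique completion, and no proper subset has one."""
    shares = frozenset(shares)
    if len(completions(n, shares, limit=2)) != 1:
        return False
    return all(len(completions(n, shares - {s}, limit=2)) != 1 for s in shares)


def reconstruct(n, pooled):
    """Combine pooled shares; returns L only if they determine it uniquely."""
    squares = completions(n, pooled, limit=2)
    return squares[0] if len(squares) == 1 else None


def authorised_subsets(n, dealt):
    """Brute-force the access structure Gamma for shares dealt as {player: share}."""
    players = sorted(dealt)
    return sorted(group for r in range(1, len(players) + 1)
                  for group in combinations(players, r)
                  if reconstruct(n, {dealt[p] for p in group}) is not None)


# Constructed toy instance (assumption): the cyclic square of order 3 is the
# key, and the dealer hands out its three diagonal cells, one per player.
KEY = tuple(tuple((i + j) % 3 + 1 for j in range(3)) for i in range(3))
DEALT = {"A": (0, 0, 1), "B": (1, 1, 3), "C": (2, 2, 2)}

if __name__ == "__main__":
    print("order-3 Latin squares:", len(completions(3, set())))
    print("critical?", is_critical_set(3, {DEALT["A"], DEALT["B"]}))
    print("authorised:", authorised_subsets(3, DEALT))
```

On this instance any two of the three diagonal cells form a critical set, so the dealt shares realise the threshold access structure $\{B : |B| \ge 2\}$, and a single share leaves four candidate squares. The search is exponential in the number of empty cells, so for orders of ten or more pass a `limit` and treat the count as a lower bound rather than an exact figure.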

3 RSA Threshold System 

Threshold schemes, however, are by no means perfect despite their proponents [9]. Many of these
schemes have a great many shortfalls, which include at least one of the following:

1. The scheme has no rigorous security proof.

2. Share generation and verification is interactive and requires a synchronous communications
network.

3. The size of each share increases linearly with respect to the number of players.
In an effort to rectify this situation, [9] presents a new RSA threshold scheme that exhibits the
following:

1. Unforgeable and robust if we assume that the RSA problem is hard [7].

2. Share generation and verification is completely non-interactive [7].

3. The size of each share is bounded by a constant and the size of the discrete logarithm problem.

Shoup [9] further stresses the fact that the share is a standard RSA signature. This is underpinned
by the fact that the public key and verification algorithm are the same as for an RSA signature
[9], [7]. The refined model examined in this paper and in [9] is one where there is one threshold $t$ for the
maximum number of traitors and $k$ is the minimum quorum size.

3.1 The RSA threshold Scheme 

We must first establish a set of $w$ players, denoted $1, \ldots, w$, a trusted designer/dealer, and a traitor.
This system also has a signature verification, a share verification and a share combining algorithm.
Shoup [9] only uses 2 variables; however, in our investigation we must remain consistent with the
majority of the literature and consider 3 parameters. So we denote the number of corrupted players
as $c$, the number of shares needed to produce a signature as $t$ and the set of all users as $w$. We also
mention that the requirement on these parameters is $t \ge c + 1$ and $w - c \ge t$.

The dealing phase is initiated by the dealer generating a public key, along with a set of secret
key shares and a set of verification keys. The corrupt player obtains the secret key shares of the
corrupted players, along with the public and verification keys. In the post-dealing phase the corrupt
player acts by submitting a signing request for a message to the loyal players. After the request
has been submitted, a player outputs a signature share for the submitted message.
The signature verification algorithm takes an input message, a signature and a public key to
determine if the signature is valid. The share verification algorithm takes an input message and a
signature share on that message from player $i$, to determine if that signature share is valid. The
share combining algorithm takes a message and $t$ valid signature shares on the message, together with the
public key and the verification keys, and outputs a valid signature on that message.
The non-forgeability property dictates that an adversary forges a signature if, at the
end of the protocol, it outputs a valid signature on a message that was not submitted as
a signing request to at least $t - c$ loyal players. Furthermore, we must stress that the threshold
signature scheme is non-forgeable if it is computationally infeasible for the corrupt adversary to
forge a signature.
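The dealing, share-signing and share-combining algorithms just described, as an added Python example; this is neither the paper's code nor Shoup's. It follows the textbook shape of Shoup's scheme: the dealer shares $d = e^{-1} \bmod m$ with $m = p'q'$ using a degree $t - 1$ polynomial over $\mathbb{Z}_m$ (the $(t, w)$-threshold sharing of Definition 1.1), each player returns $x^{2\Delta s_i}$ with $\Delta = w!$, and the combiner uses integer Lagrange coefficients plus one extended Euclidean step to turn $t$ shares into an ordinary RSA signature that the public key $(N, e)$ verifies. The safe primes 23 and 47, the exponent $e = 5$, the polynomial coefficient 7, the toy hash and all function names are constructed assumptions with no security; Shoup's non-interactive proof of share correctness and his Jacobi-symbol adjustment of the hashed message are omitted, and Python 3.8 or later is needed for `pow(x, -1, N)`.

```python
# Toy walk-through of a Shoup-style threshold RSA signature (added example,
# not code from the paper or from Shoup).  Parameters are tiny and fixed so
# the arithmetic can be followed by hand; they give no security whatsoever.
# Share verification (Shoup's non-interactive proof of correctness) is omitted.
import hashlib
from math import factorial, gcd

# --- Constructed toy parameters (assumption: safe primes p = 2p'+1, q = 2q'+1) ---
P, Q = 23, 47                          # p' = 11, q' = 23
N = P * Q                              # 1081, the public modulus
M = ((P - 1) // 2) * ((Q - 1) // 2)    # m = p'q' = 253, modulus of the secret exponent
L = 3                                  # number of players w
T = 2                                  # shares needed to sign (t)
E = 5                                  # public exponent: a prime > L with gcd(E, M) = 1
DELTA = factorial(L)                   # Shoup's Delta = w!, clears Lagrange denominators


def deal(poly_coeffs):
    """Dealer: share d = e^-1 mod m with f(X) = d + a_1 X + ... over Z_m.
    poly_coeffs are the constructed non-constant coefficients a_1..a_{t-1}."""
    d = pow(E, -1, M)
    return {i: (d + sum(a * i ** (k + 1) for k, a in enumerate(poly_coeffs))) % M
            for i in range(1, L + 1)}


def hash_to_unit(message):
    """Toy full-domain hash into Z_N^* (assumption; Shoup also forces the
    Jacobi symbol to +1, which is skipped here).  Units of order <= 2 are
    skipped so the toy modulus never produces a degenerate representative."""
    counter = 0
    while True:
        digest = hashlib.sha256(message + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % N
        if gcd(x, N) == 1 and pow(x, 2, N) != 1:
            return x
        counter += 1


def sign_share(x, s_i):
    """Player i: signature share x_i = x^(2 * Delta * s_i) mod N."""
    return pow(x, 2 * DELTA * s_i, N)


def lagrange(S, i):
    """Integer coefficient lambda_{0,i}^S = Delta * prod_{j in S, j != i} (0-j)/(i-j)."""
    num, den = DELTA, 1
    for j in S:
        if j != i:
            num *= -j
            den *= i - j
    assert num % den == 0                # Delta = w! guarantees divisibility
    return num // den


def combine(x, shares_from):
    """Combiner: turn signature shares {i: x_i} into a standard RSA signature y."""
    S = sorted(shares_from)
    w = 1
    for i in S:
        w = w * pow(shares_from[i], 2 * lagrange(S, i), N) % N
    # With t valid shares, w^E == x^(e') where e' = 4 * Delta^2.  Since
    # gcd(e', E) = 1, extended Euclid gives a, b with e'*a + E*b = 1, and then
    # y = w^a * x^b satisfies y^E == x.
    e_prime = 4 * DELTA * DELTA
    a = pow(e_prime, -1, E)
    b = (1 - e_prime * a) // E
    return pow(w, a, N) * pow(x, b, N) % N


def verify(message, y):
    """Plain RSA verification with the public key (N, E)."""
    return pow(y, E, N) == hash_to_unit(message)


def demo(message=b"transfer 100 units", signers=(1, 3)):
    """Deal, collect shares from `signers`, combine, and verify the result."""
    shares = deal(poly_coeffs=[7])        # constructed coefficient a_1 = 7
    x = hash_to_unit(message)
    sig_shares = {i: sign_share(x, shares[i]) for i in signers}
    return verify(message, combine(x, sig_shares))


if __name__ == "__main__":
    print("two of three players:", demo())
    print("one player only:", demo(signers=(2,)))
```

`demo()` returns True for any $t = 2$ of the 3 players and False when a single player's share is combined on its own: one share $x^{2\Delta s_i}$ yields neither $d$ nor a signature that passes the public verification, which is the non-forgeability property of Section 3.1 in miniature. The combined output is checked by nothing more than textbook RSA verification, which is the point the text makes about the public key and verification algorithm being unchanged.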

3.2 Security of RSA Threshold 

Theorem 3.1. For $t = w + 1$, in the random oracle model for $H'$, the above protocol is a secure
threshold signature scheme which is robust and non-forgeable, assuming that the standard
RSA signature scheme is secure.

We shall only make a very short comment on the proof of this theorem. One should consult Shoup
[9] for a more detailed approach. The robustness of the threshold signature scheme is cemented
in its non-forgeability. We assume that the standard RSA signature scheme is secure because of the
difficulty of the adaptive chosen message attack. This statement can be justified in the random
oracle model, such that given some random $x \in \mathbb{Z}_n^*$, it is hard to compute $y$ such that $y^e = x$.

4 Analysis 

We shall put forward the merits of a Latin Square SSS and the RSA based system for examination:

• A Latin Square scheme can provide good security when the critical set on which the scheme
is founded is not based on strong critical or semi-strong critical partial Latin Squares.

• Latin Squares of large order, i.e. $n > 11$, provide for a relatively secure system.

• The current literature believes that the RSA problem is hard to compute.

• The Decision Diffie-Hellman (DDH) assumption: given some random $g, h \in Q_n$, along with
$g^a$ and $h^b$, it is hard to decide if $a = b \bmod m$.

• Finding a correct authorised group of shares from one given share is computationally difficult.

If we were to look at a computational attack against the Latin Square scheme, one would need
only to find one disloyal player and simply generate a completion for that share. Although
the prospect of finding a solution to this problem becomes more difficult as the size of the scheme
increases beyond 11 players, it is still possible. Without a scheme that allows for a disenrollment
procedure [3], a brute force attack for computing the completion of the Latin Square is a viable
attack.

If one already holds one of the other shares then there is a 1 in 4 chance of completing the critical
set and discovering the secret by simply picking one share at random [3]. A 25 percent chance
of completing a critical set given that one player is disloyal is a risk not worth taking in our view. If
one player were somehow compelled or convinced that becoming disloyal was appropriate, then a
scheme that placed so much trust in one player is too risky.

Although the Latin Square model is entirely theoretical, it must be asked why one would use
a scheme that has two major faults. Unless one can ensure that no players will defect and become
disloyal, this scheme is far from desirable. In contrast, RSA based protocols are one of the
best methods available to ensure the security of a multiparty scheme for digital signatures.